NGINX Plus Release 7 (R7) greatly improves TCP load balancing with additional features to help you better secure your TCP applications against external threats. Tuning of TCP load balancing is also more flexible thanks to new configurable parameters. This post covers the new features in detail, explaining how to use them to accelerate, secure, and scale your applications that communicate over TCP.

Editor – NGINX Plus R9 and later extend support for the features described here to UDP traffic.

Apply Access Control and DDoS Protection to Secure Your TCP Services

NGINX Plus R7 introduces access controls, connection limiting, and bandwidth limits for TCP traffic. NGINX Plus now provides the same level of security and DDoS protection for TCP applications as for HTTP applications.

Access Controls

You can now allow or deny traffic to proxied or load‑balanced TCP servers based on specific client IP addresses and ranges. This is great for quickly blocking IP addresses that are attacking you or are known to be malicious (like those listed at Project HoneyPot). The configuration is fairly simple.

server {
    # ...
    deny 72.46.166.10;
    deny 73.46.156.0/24;
    allow all;
}

The first deny directive blocks one IP address and the second a range of addresses, with all other addresses allowed through by the final allow all directive. The logic can also be reversed by allowing access from the IP addresses you specify and blocking everyone else with a final deny all directive.

Connection Limiting

With NGINX Plus R7 you can limit the number of connections that clients can make to TCP applications proxied by NGINX Plus. Perhaps one part of your application is slower than other parts, for example if a request to that part generates a lot of database calls or in general initiates a lot of work on the back end. Attackers can exploit this by having hundreds or thousands of computers repeatedly making that same request.

With connection limiting, you can minimize the effect of these attacks by limiting the number of connections the attackers can make. This limits the power of each individual computer used in an attack.

Bandwidth Limiting

NGINX Plus R7 includes new functionality to limit upload and download speed for each connection. Capping bandwidth slows down greedy downloaders.

server {
    # ...
    proxy_download_rate 100k;
    proxy_upload_rate 50k;
}

With these settings a client can download data through a single connection at a maximum speed of 100 kilobytes per second, and upload data through a single connection at a maximum speed of 50 kilobytes per second. Keep in mind, however, that clients can open multiple connections. If the goal is to limit overall speed of loading per client, you must also limit the number of connections to one as described in the previous section.
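Putting the connection limit and the bandwidth caps together in a stream server, as an added example that is not part of the original post; it also shows the allow-list form of access control described in the Access Controls section. The listening port, zone name, networks and upstream addresses are assumed.

```nginx
# Added example (not from the original post): per-client connection and
# bandwidth limits for a proxied TCP service. Port, zone name, networks
# and upstream addresses are assumed for illustration.
stream {
    # Shared-memory zone keyed on the client IP address, used by limit_conn.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    upstream backend {
        server 192.168.1.10:12345;
        server 192.168.1.11:12345;
    }

    server {
        listen 12345;

        # Allow-list form: only these networks may connect; the final
        # "deny all" refuses every other source address.
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny  all;

        # One concurrent connection per client IP. Without this a client
        # can open many connections and multiply the per-connection caps.
        limit_conn per_ip 1;

        # Per-connection caps in bytes per second (k = kilobytes).
        # With limit_conn at 1 these become effective per-client limits.
        proxy_download_rate 100k;
        proxy_upload_rate   50k;

        proxy_pass backend;
    }
}
```

Connections refused by limit_conn or deny are closed before any data reaches the upstream group, so the slow part of the application never sees the excess load.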

More Configurable Load Balancing

With R7, we’ve added more configurable options to help you get the most out of NGINX Plus’ TCP load‑balancing capabilities.

Binding to a Specific IP Address

You can specify the IP address that NGINX Plus uses as its source address when talking to the backend servers it proxies, with the proxy_bind directive in the server block. For example, with proxy_bind 192.168.1.100, NGINX Plus uses 192.168.1.100 as its address for all connections to the servers in the backend upstream group.

PROXY Protocol Support

NGINX Plus R7 adds support for the PROXY protocol. This provides a convenient way to safely transport connection information, such as a client’s IP address, across multiple layers of proxies.

A great use case comes from an NGINX customer that needed to decrypt a large volume of SSL traffic, more than a single NGINX instance could handle. The customer implemented two tiers – a frontend NGINX cluster that load balances TCP traffic across a larger secondary cluster that terminates the SSL connections.

The proxy_protocol directive is used to forward the client IP address to the second tier so it can be added as a header in the decrypted HTTP traffic.
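The two-tier setup described above, combined with the proxy_bind directive from the previous section, as an added example that is not from the original post or the customer's configuration. Addresses, ports, certificate paths and the application backend are assumed; the two blocks run on separate NGINX instances.

```nginx
# Added example (not from the original post). Tier 1: a stream server that
# load balances still-encrypted TCP to the SSL-terminating tier and prepends
# a PROXY protocol header. Addresses and ports are assumed.
stream {
    upstream ssl_terminators {
        server 192.168.1.21:443;
        server 192.168.1.22:443;
    }

    server {
        listen 443;

        # Fixed source address for every upstream connection (see proxy_bind
        # above), so tier 2 can trust PROXY headers from this address only.
        proxy_bind 192.168.1.100;

        # Send the original client address ahead of the TCP payload.
        proxy_protocol on;

        proxy_pass ssl_terminators;
    }
}

# Tier 2 (a separate NGINX instance): terminates SSL, reads the PROXY header
# and passes the real client address to the application as an HTTP header.
http {
    server {
        # "proxy_protocol" makes the listener expect a PROXY header, so this
        # tier should be reachable only from tier 1.
        listen 443 ssl proxy_protocol;
        ssl_certificate     /etc/nginx/certs/example.crt;  # assumed paths
        ssl_certificate_key /etc/nginx/certs/example.key;

        # Replace $remote_addr with the PROXY-header address only when the
        # header arrives from the tier-1 bind address; a peer connecting
        # directly cannot use a forged header to change $remote_addr.
        set_real_ip_from 192.168.1.100;
        real_ip_header   proxy_protocol;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;   # assumed application backend
        }
    }
}
```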

Other Enhancements

There are a couple of other enhancements to TCP load balancing in NGINX Plus R7:

The new backlog parameter to the listen directive limits the length of the queue of pending connections.

Comparing NGINX Plus and Open Source NGINX

Both NGINX Plus and the open source (F/OSS) NGINX software support TCP load balancing. NGINX Plus adds features that enhance TCP load balancing and provide more visibility into the load‑balanced traffic. The following table compares the two.

Upgrade or Try NGINX Plus

If you’re running NGINX Plus, we strongly encourage you to update to Release 7 as soon as possible. You’ll pick up a number of fixes and improvements, and it will help us to help you if you need to raise a support ticket. Installation and upgrade instructions can be found at the customer portal. Not using NGINX Plus yet? Give it a try for free today!
